SonicWall SMA appliances targeted in zero-day attacks (CVE-2026-15409, CVE-2026-15410)
SonicWall has fixed two actively exploited vulnerabilities (CVE-2026-15409, CVE-2026-15410) affecting its Secure Mobile Access (SMA) 1000 Series appliances, and is urging customer organizations to upgrade to a fixed firmare version and search for evidence of potential compromise.

If the outlined indicators of compromise are present on the system, the company advises re-imaging (hardware) or re-deploying (virtual) appliances, changing user and administrator passwords, and resetting TOTP tokens.
The vulnerabilities
SonicWall SMA 1000 series appliances are secure remote access (SSL VPN) gateways designed for medium-to-large businesses, multinationals, government agencies, and managed security service providers.
CVE-2026-15409 is a critical server-side request forgery (SSRF) flaw in the SMA1000 Appliance Work Place interface, which may allow remote unauthenticated attackers to “cause the appliance to make requests to unintended location.”
The high-severity code injection flaw in the SMA1000 Appliance Management Console (CVE-2026-15410) may allow remote attackers authenticated as an admin to execute arbitrary OS commands and achieve remote code execution.
In attacks observed so far, the two bugs are being exploited in tandem.
“We have confirmed that these vulnerabilities are being actively exploited in the wild and are not unique to SonicWall,” a company spokesperson told us, and said that upon discovery, the company investigated the issue, developed and released a firmware patch, and notified impacted customers.
SonicWall sent an alert to customers in advance of the publication of the security advisory, advising them to get in touch with SonicWall Support to receive the hotfixes (v12.4.3-03453 and 12.5.0-02835) before they are made available to the company site on July 14, 2026.
The company also developed a script they can run on behalf of affected customers to assist with resolution, and mitigation efforts are already underway, the spokesperson added. “Our support team is assisting customers through instances of suspicious activity on a case-by-case basis.”
Patching alone is not sufficient
SonicWall SMA appliances and firewalls are often targeted by attackers, sometimes by exploiting zero-day, other times by leveraging old, previously known vulnerabilities.
CVE-2026-15409 and CVE-2026-15410 affect SonicWall’s SMA6210, SMA7210, and SMA8200v appliances. Affected firmware (platform-hotfix) versions are:
- 12.4.3-03245
- 12.4.3-03387
- 12.4.3-03434
- 12.5.0-02283
- 12.5.0-02624
- 12.5.0-02800
“It is important that customers understand patching alone is not sufficient. Even after applying the update, we strongly recommend reviewing logs for indicators of compromise and following the guidance in our KB article closely,” the spokesperson stressed.
Adam Babis of SonicWall PSIRT has been credited with discovering and reporting the two vulnerabilities.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
